Introduction to the Basic Cisco Voip (AVVID) Components

Before launching into the attacks and countermeasures, we'll provide an overview of the basic Cisco AVVID components.

IP PBX and Proxy

Cisco's VoIP PBX, otherwise known as the Cisco Unified CallManager, was originally released as Multimedia Manager 1.0 in 1994 as a videoconferencing signaling controller. In 1997, it was renamed Selsius-CallManager and had evolved into a VoIP call router. Cisco then acquired Selsius in 1998, at which time the product was built on Windows NT 3.51 and was subsequently renamed Cisco CallManager. Even though Cisco CallManager is a software application, it is installed and sold on customized hardware platforms called Cisco Media Convergence Servers (MCS) ( or

In March 2006, Cisco added the "Unified" moniker to all of its VoIP and video products, and the newly dubbed Cisco Unified CallManager was released under versions 4.2 and 5.0. The 5.x branch is a major departure from the traditional Windows-based 3.x and 4.x installations in that the CallManager software actually runs on a Linux appliance instead of an MCS. While users of the 3.x and 4.x CallManager had fairly open access to the underlying Windows Server 2003 or Microsoft Windows 2000 Server, the 5.x Linux appliances are locked down with only a management interface for most administrative functions. Also available from Cisco is the Cisco Unified CallManager Express ( or, which is a slimmed-down version of CallManager that is embedded on certain supported routers running IOS. Each Cisco Unified CallManager Express installation can support up to 240 lines, in comparison to the standard Unified CallManager deployment, which can support up to 30,000 lines per server.

At the time of this book's publication, the majority of large enterprise deployments were still running versions 4.x, so we decided to concentrate on those instead of the fairly new 5.x deployments. With the exception of the OS-specific attacks, most of the other exploits and countermeasures are also applicable to the 5.x branch of CallManager.

Hard Phones

Cisco sells a plethora of VoIP phones. As of the time of this book's publication, these are the most popular:

  • Cisco Unified IP Phone 7985G    A personal desktop videophone that enables instant, face-to-face communications, the Cisco Unified IP Phone 7985G incorporates a camera, LCD screen, speaker, keypad, and handset into a single, easy-to-use unit.

  • Cisco Unified IP Phones 7971G-GE, 7961G-GE, and 7941G-GE    A suite of IP phones that delivers Gigabit Ethernet Voice over IP.

  • Cisco Unified IP Phones 7970G, 7961G, 7960G, 7941G, and 7940G    These phones feature high-resolution display capabilities, XML applications, multiple lines, and an intuitive interface for business professionals.

  • Cisco Unified IP Phones 7912G, 7911G, and 7905G    These phones feature a single-line, pixel display for XML capabilities.

  • Cisco Unified Wireless IP Phone 7920    This phone delivers up to six extensions, a menu-driven graphical interface, and faster roaming.

  • Cisco Unified IP Phone 7902G    This single-line, entry-level IP phone does not have a display and is designed to meet basic calling requirements for environments such as lobbies, laboratories, manufacturing floors, and hallways.

A complete list of phones is available on Cisco's website at


Cisco provides a softphone client called Cisco IP Communicator that runs on a Windows PC and integrates with your existing CallManager deployment ( or The client has most of the basic features of the hard phones and is targeted at remote workers or road warriors.


Communication Between Cisco Phones and CallManager with SCCP (Skinny)

Skinny Client Control Protocol (SCCP, nicknamed "Skinny") is Cisco's proprietary, lightweight, H.323-like signaling protocol used between Cisco Unified CallManager and Cisco Unified phones. Because the Skinny protocol is proprietary to Cisco, there are not many public references on its internals or format. There are, however, some open source implementations of SCCP, including an Asterisk SCCP module, as well as a Wireshark SCCP dissector.

Cisco IP phones are, in general, fairly dependent on the CallManager to perform most of their functions. For instance, if a phone is taken off the cradle, it will communicate this fact to the CallManager, which will then instruct the phone to play the appropriate dialtone. By itself and disconnected from the CallManager, the phone can't play the tone.

A Skinny client (in other words, the IP phone) uses TCP/IP over port 2000 to communicate with the CallManager, and all messages are unencrypted. The following is a list of valid Skinny messages:

Code      Station Message ID
0x0000    Keep Alive Message
0x0001    Station Register Message
0x0002    Station IP Port Message
0x0003    Station Key Pad Button Message
0x0004    Station Enbloc Call Message
0x0005    Station Stimulus Message
0x0006    Station Off Hook Message
0x0007    Station On Hook Message
0x0008    Station Hook Flash Message
0x0009    Station Forward Status Request Message
0x0011    Station Media Port List Message
0x000A    Station Speed Dial Status Request Message
0x000B    Station Line Status Request Message
0x000C    Station Configuration Status Request Message
0x000D    Station Time Date Request Message
0x000E    Station Button Template Request Message
0x000F    Station Version Request Message
0x0010    Station Capabilities Response Message
0x0012    Station Server Request Message
0x0020    Station Alarm Message
0x0021    Station Multicast Media Reception Ack Message
0x0024    Station Off Hook With Calling Party Number Message
0x0022    Station Open Receive Channel Ack Message
0x0023    Station Connection Statistics Response Message
0x0025    Station Soft Key Template Request Message
0x0026    Station Soft Key Set Request Message
0x0027    Station Soft Key Event Message
0x0028    Station Unregister Message
0x0081    Station Keep Alive Message
0x0082    Station Start Tone Message
0x0083    Station Stop Tone Message
0x0085    Station Set Ringer Message
0x0086    Station Set Lamp Message
0x0087    Station Set Hook Flash Detect Message
0x0088    Station Set Speaker Mode Message
0x0089    Station Set Microphone Mode Message
0x008A    Station Start Media Transmission
0x008B    Station Stop Media Transmission
0x008F    Station Call Information Message
0x009D    Station Register Reject Message
0x009F    Station Reset Message
0x0090    Station Forward Status Message
0x0091    Station Speed Dial Status Message
0x0092    Station Line Status Message
0x0093    Station Configuration Status Message
0x0094    Station Define Time & Date Message
0x0095    Station Start Session Transmission Message
0x0096    Station Stop Session Transmission Message
0x0097    Station Button Template Message
0x0098    Station Version Message
0x0099    Station Display Text Message
0x009A    Station Clear Display Message
0x009B    Station Capabilities Request Message
0x009C    Station Enunciator Command Message
0x009E    Station Server Respond Message
0x0101    Station Start Multicast Media Reception Message
0x0102    Station Start Multicast Media Transmission Message
0x0103    Station Stop Multicast Media Reception Message
0x0104    Station Stop Multicast Media Transmission Message
0x0105    Station Open Receive Channel Message
0x0106    Station Close Receive Channel Message
0x0107    Station Connection Statistics Request Message
0x0108    Station Soft Key Template Respond Message
0x0109    Station Soft Key Set Respond Message
0x0110    Station Select Soft Keys Message
0x0111    Station Call State Message
0x0112    Station Display Prompt Message
0x0113    Station Clear Prompt Message
0x0114    Station Display Notify Message
0x0115    Station Clear Notify Message
0x0116    Station Activate Call Plane Message
0x0117    Station Deactivate Call Plane Message
0x0118    Station Unregister Ack Message

SCCP Call Flow Walk Through

The following diagrams illustrate the call setup of a phone call between two SCCP-enabled phones. Figure 7-1 shows an initial call setup as a user dials the extension 3068.

Figure 7-1: The SCCP call setup

Figure 7-2 illustrates the next stage of the phone call in which the RTP media setup occurs. The StartMediaTransmission or OpenLogicalChannel message is the one that actually signifies when the media stream is established; only after both phones have received this message can the conversation begin.

Figure 7-2: The media setup

Figure 7-3 illustrates the call teardown scenario once the receiving party hangs up the phone.

Figure 7-3: The session teardown

Making Sense of an SCCP Call Trace

 Companion Web Site   Wireshark ( is a great tool for deciphering Skinny traffic that has been sniffed from the network. Because Skinny messages are unencrypted, it's relatively easy to make sense of the communication going on between a phone and the CallManager. As an example, we've made available a packet trace from our own Cisco VoIP lab of the standard communication that occurs between a Skinny phone and the CallManager when a call is placed. The trace is available at When you open the trace in Wireshark, it will look like Figure 7-4. The IP address of our Cisco 7912 IP phone is and the IP address of our CallManager server is

Figure 7-4: Loading the traffic capture of Skinny communications in Wireshark

Lifting the Phone from the Cradle    The first thing that happens in the trace once we lift the phone off the cradle is that a Skinny OffHookMessage is sent in packet 7 to the CallManager. This, in turn, triggers a flurry of Skinny messages (packets 8-17) from the CallManager to the phone, ending with the Skinny StartToneMessage, which tells the phone to play a standard dial tone.

Dialing Numbers    In the example recorded in the trace, we dialed extension 2012. Notice that once we press the 2 button, a KeypadButtonMessage is sent from the phone to the CallManager in packet 18. If you click the packet and expand the details in Wireshark, you can clearly see the number 2 in the KeypadButton field (0x000000002). The CallManager sends two Skinny messages in response: the first is a StopToneMessage in packet 19, which stops the dial tone being played on the phone; the second, shown in packet 20, tells the phone the appropriate tone to play for the number that we pressed. The remaining numbers that we dialed, 0, 1, and 2, are illustrated in packets 23, 25, and 27, respectively.

Call in Progress    Starting at packets 31-33, the CallManager updates the LCD display and dial tone of the phone to indicate that the call is being initiated and the receiving phone (x2012) is ringing. Through Skinny messages in packets 34-42, the CallManager communicates with the phone at extension 2012 (IP address in order to set it to ring. For more information on how SCCP works, check out the book Troubleshooting Cisco IP Telephony by Paul Giralt, Addis Hallmark, and Anne Smith (Cisco Press, 2002).
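To make the message table and the trace walk-through concrete, here is an added example (not from the book or from Cisco) that parses one direction of a Skinny TCP stream and recovers the dialed extension from the KeypadButtonMessage payloads, which is exactly what a passive observer on the voice VLAN can do because the signaling is unencrypted. It assumes the 12-byte PDU header used by the Wireshark dissector (little-endian length, header version, message ID), assumes button codes 14 and 15 mean * and #, and works on a constructed byte stream rather than the book's capture.

```python
import struct

# Subset of the Skinny message IDs from the table above (Wireshark-style names).
SKINNY_MESSAGES = {
    0x0000: "KeepAliveMessage",
    0x0003: "KeypadButtonMessage",
    0x0006: "OffHookMessage",
    0x0007: "OnHookMessage",
    0x0082: "StartToneMessage",
    0x0083: "StopToneMessage",
}
# Assumed keypad codes: 0-9 map to themselves, 14 = '*', 15 = '#'.
KEYPAD = {**{i: str(i) for i in range(10)}, 14: "*", 15: "#"}

def build_skinny(msg_id, payload=b""):
    """Assumed PDU layout: LE length (ID + payload), LE header version, LE ID."""
    body = struct.pack("<I", msg_id) + payload
    return struct.pack("<II", len(body), 0) + body

def parse_skinny_stream(data):
    """Split one direction of a TCP/2000 stream into (msg_id, payload) tuples."""
    msgs, off = [], 0
    while off + 12 <= len(data):
        length, _version = struct.unpack_from("<II", data, off)
        end = off + 8 + length
        if length < 4 or end > len(data):
            break  # malformed or truncated PDU: stop rather than mis-align
        msg_id = struct.unpack_from("<I", data, off + 8)[0]
        msgs.append((msg_id, data[off + 12:end]))
        off = end
    return msgs

def message_names(msgs):
    """Map parsed message IDs to names; unknown IDs are reported, not dropped."""
    return [SKINNY_MESSAGES.get(m, "Unknown(0x%04X)" % m) for m, _ in msgs]

def dialed_digits(msgs):
    """Recover the dialed number from KeypadButtonMessage payloads (LE uint32)."""
    digits = ""
    for msg_id, payload in msgs:
        if msg_id == 0x0003 and len(payload) >= 4:
            digits += KEYPAD.get(struct.unpack_from("<I", payload)[0], "?")
    return digits

# Constructed phone-to-CallManager half of the call from the walk-through:
# off-hook, the four digits of x2012, on-hook, then a deliberately truncated PDU.
SAMPLE_STREAM = (
    build_skinny(0x0006)
    + b"".join(build_skinny(0x0003, struct.pack("<I", d)) for d in (2, 0, 1, 2))
    + build_skinny(0x0007)
    + build_skinny(0x0000)[:6]
)

if __name__ == "__main__":
    parsed = parse_skinny_stream(SAMPLE_STREAM)
    print(message_names(parsed), "dialed:", dialed_digits(parsed))
```

The same split-and-decode loop applied to the CallManager-to-phone direction yields the StopToneMessage/StartToneMessage sequence described in the trace.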


Cisco Unity is Cisco's voicemail solution, which integrates with preexisting data stores such as Microsoft Exchange and Lotus Domino. Like the CallManager, most Unity installations are sold by resellers on top of Media Convergence Servers or compatible IBM servers. The Cisco Unity 4.x software runs on Windows Server 2003 or Microsoft Windows 2000 Server.

Switches and Routing

For the purposes of this chapter in examining the typical Cisco enterprise VoIP deployment, we're assuming that most switches and routers are Cisco branded as well. Therefore, the countermeasures and exploits will be specific to Cisco networking devices.

You can find more information on Cisco's line of switches and routers at the following links:



As you will see for many of the Cisco-specific recommendations in the following sections, implementing them requires an almost homogeneous Cisco network environment. This has its pluses and minuses, of course, depending on whether or not you've already spent the money to upgrade your networking environment to all Cisco.

Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004
Pages: 158